430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|Apple Fixes WebKit Flaws in iOS and macOS, With Help From AI Tools|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|Apple Fixes WebKit Flaws in iOS and macOS, With Help From AI Tools|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

Macros based malware on the rise (Once Again)

Microsoft is observing a major spike in the volume of malware using macros since the beginning of the year. The infection method was very common in the past I remember when I was starting my career, around 2006 that a lot of the existent malware would arrive to their victims trough Word/Excel macros, and that […]

Macros based malware on the rise (Once Again)

Microsoft is observing a major spike in the volume of malware using macros since the beginning of the year. The infection method was very common in the past

I remember when I was starting my career, around 2006 that a lot of the existent malware would arrive to their victims trough Word/Excel macros, and that was fine by then, but now in the year 2015 macros full of malware are on the rise again, but why?

Back in the golden days of macro’s malware, the executing was depending on the option “macros executing automatically”, but new ones are much more evolved and use social engineering to make the user enabling macros.

malware macros

 

Early 2015 the Microsoft Malware Protection Center (MMPC) issued an alert about a surge in the infections of malware using macros to spread their malicious code. The researchers at Microsoft have seen a major increase in enable-macros based malware, the most active codes included Adnel and Tarbir.

macros malware attacks

Last year experts at TrendLabs observed criminal crews using the Windows PowerShell command shell to spread ROVNIX via malicious macro downloaders. Early this year, the experts noticed cyber criminals were using malicious macros in Microsoft Word Windows to spread the banking malwareVAWTRAK.

An actual example of this is the “Dridex” banking Trojan and “TorrentLocker” ransomware, which is being spread through macros. The point where all start is with spam emails that contain the infected macro, those macros include an XML file that will try to trick the users to enable macros.

“XML files are the old binary format for Office docs and once you double click them to open, the file associated with Microsoft Word and opens,” explained researcher at Trustwave Karl Sigler.

Microsoft Malware Protection Center commented about the tricks used:

“The macro malware-laden documents that target email users through email spam are intentionally crafted to pique any person’s curiosity. With subjects that include sales invoices, federal tax payments, courier notifications, resumes, and donation confirmations, users can be easily tricked to read the email and open the attachment without thinking twice,” “The user opens the document, enables the macro, thinking that the document needs it to function properly – unknowingly enabling the macro malware to run.”

When the user bites the bait the malware starts doing what he was written to, downloading payloads, or installing nasty stuff, remote connecting to a server and install more nasty stuff.

So, the advice here it’s the same as in 2006, be sure that macros are disabled by default and always pay attention on what you click and authorize.

About the Author Elsio Pinto

Elsio Pinto is at the moment the Lead Mcafee Security Engineer at Swiss Re, but he also as knowledge in the areas of malware research, forensics, ethical hacking. He had previous experiences in major institutions being the European Parliament one of them. He is a security enthusiast and tries his best to pass his knowledge. He also owns his own blog http://high54security.blogspot.com/

Edited by Pierluigi Paganini

(Security Affairs –  Macros, malware)